Microsoft has discreetly begun informing certain Azure users that a significant security flaw in the Azure App Service has exposed hundreds of source code repositories.
Microsoft's disclosure comes more than two months after Israeli cloud security startup Wiz reported the flaw to it, and only weeks after Redmond quietly patched the weakness and notified "a limited subset of customers" believed to be at risk.
The Microsoft Security Response Center described the weakness in an alert as a problem in which customers can accidentally cause the .git folder to be generated in the content root, putting them at risk of unauthorized information disclosure.
“This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public. We have notified the limited subset of customers that we believe are at risk due to this and we will continue to work with our customers on securing their applications,” Microsoft said.
According to the company, App Service Linux users who deployed applications using Local Git after files were created or updated in the content root directory may be affected.
The combination of the .git folder inside the content folder and an application that serves static content renders the application vulnerable to source code leakage, Redmond said.
In a separate technical note, the Wiz research team describes the weakness as an insecure default behavior in Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node that were deployed using "Local Git." The vulnerability, dubbed "NotLegit," has existed since September 2017 and has most likely been exploited in the wild, according to the company.
The Wiz researchers described exploitation as "extremely easy," adding that there are indications that unidentified malicious actors have already been launching exploits.
“To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the company said.
“As this exploitation method is extremely easy, common, and is actively being exploited, we encourage all affected users to overview their application’s source code and evaluate the potential risk,” Wiz added.
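The requests Wiz observed are visible in ordinary web server access logs. The following is an added example, not code from the article, Wiz, or Microsoft: it scans constructed access-log lines for requests targeting a .git path (including percent-encoded variants) and reports whether the server actually served the file, which is the signal that repository content was exposed rather than blocked.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:08:12:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.79.1"
203.0.113.10 - - [10/Dec/2021:08:12:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/7.79.1"
198.51.100.7 - - [10/Dec/2021:08:15:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:08:15:45 +0000] "GET /%2Egit/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2021:09:01:10 +0000] "GET /static/.git/objects/ HTTP/1.1" 403 0 "-" "python-requests/2.26"
"""

# Minimal parser for the common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_git_path(path: str) -> bool:
    """True if the request targets a .git directory. The query string is dropped and the
    path is percent-decoded twice so %2E-style obfuscation is caught; .gitignore is not a hit."""
    clean = unquote(unquote(path.split("?", 1)[0])).lower()
    return "/.git/" in clean or clean.endswith("/.git")

def find_git_probes(log_text: str) -> list[dict]:
    """Return one record per request for a .git path. 'exposed' is True when the server
    answered 2xx, i.e. the repository file was actually delivered to the client."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_git_path(m["path"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "path": m["path"],
            "status": status,
            "exposed": 200 <= status < 300,
        })
    return hits

if __name__ == "__main__":
    for h in find_git_probes(SAMPLE_LOG):
        flag = "EXPOSED" if h["exposed"] else "blocked"
        print(f'{h["ip"]:15} {h["status"]} {flag:8} {h["path"]}')
```

Any record with `exposed` set to True means the .git folder is both present in the content root and being served, and the application's source history should be treated as leaked.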
Wiz researchers have previously uncovered and publicized major security vulnerabilities in Microsoft's flagship Azure cloud computing platform, with ChaosDB and OMIGOD being two examples.